Phase 1: Vendor security questionnaire
A vendor security questionnaire is essential to understanding how the vendor views medical device security and what processes it has in place to keep devices secure once fielded.
Importance
• Gain a deeper understanding of the following:
  • How the vendor views medical device security (e.g., program vs. product)
  • How prepared the vendor is to keep their medical device secure once fielded
  • The maturity of the security processes applied to secure the vendor's medical devices throughout their lifecycle
Sample high-level questions
• First and foremost, identify whether the vendor has an established medical device security organization
• If so, assess that organization against a leading-practice product security framework
• Sample medical device security questions:
  • Does a product security policy exist?
  • Are product security design requirements established and integrated into product design?
  • Are product security risk assessments and technical security testing completed on products prior to fielding?
  • Are patch and vulnerability monitoring and management processes in place to keep products secure once fielded?
  • Are formalized processes in place to intake inquiries from external parties (such as vulnerability reports) and respond accordingly?
  • Do product engineers receive in-depth training to develop secure products (e.g., secure coding)?
Copyright © 2019 Deloitte Development LLC. All rights reserved.